This site uses cookies from Google to deliver its services and to analyze traffic.
Privacy overview
This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously. These include the Qualified chatbot, the Marketo cookie for loading and submitting forms on the website, and page variation testing software tool.
Questions on how to best use LogicMonitor?
Come join our live training webinar every other Wednesday at 11am PST and hear LogicMonitor experts explain best practices and answer common questions. We understand these are uncertain times, and we are here to help!
Palo Alto firewalls expose a small amount of data by SNMP, but in order to get comprehensive monitoring it is necessary to also use the Palo Alto API. Therefore, you should ensure that SNMP is enabled and configured correctly on your device as well as set your Palo Alto API key as a device property in LogicMonitor.
To get your API key and set it as a device property:
This process can be initiated from the command line or browser:
From the command line, as detailed in the Palo Alto XML API manual, make a GET or POST request to the firewall’s hostname or IP addresses using the administrative credentials and type=keygen:
curl -k -X GET 'https://<firewall>/api/?type=keygen&user=<username>&password=<password>'
Copy
OR
curl -k -X POST 'https://<firewall>/api/?type=keygen&user=<username>&password=<password>'
Copy
From a browser, generate the key by entering the below URL into your address bar:
Note: Replace firewall, username, and password in the above URL with the appropriate values. Any special characters in the password must be URL encoded (your browser will most likely do this for you.)
The result will be an XML block that contains the key. The key should be formatted similar to the following: gJlQWE56987nBxIqyfa62s23RtYuIo2BgzEA9UOnlZBhU.
Copy the key value and use it as the value for a device property named paloalto.apikey.pass.
Note: Ensure this property is set on all Palo Alto devices, including the Panorama management server. It is easiest to set this property at the root level of your LogicMonitor account; this allows the DataSources to connect via the API. For more information on setting properties, see Resource and Instance Properties.
Troubleshooting: Discard Session
In some cases, Palo Alto Firewalls allow SNMP requests from a Collector to a device, but block the response from the device back to the Collector. This is evidenced by a discard session on the firewall for the response packet (that is, discard UDP from device:snmp port -> collector:highport). This discard session would then block ALL subsequent SNMP responses from the device back to the Collector that are using the same port on the Collector, until a Collector restart or other event allows the discard session to expire (after no traffic for 30-60 seconds). This could potentially result in SNMP data collection issues where traffic from a Collector to its monitored devices flows across a Palo Alto Firewall.
Possible workarounds:
Increase the Palo Alto UDP session timeout from 10 seconds to 30 seconds